As a security measure, I am trying to get a massive dictionary of words together, and each time a user changes his/her password, it checks the list to see if the password is in it. My question is, are there any pre-built lists of this nature? I am currently only using a spelling dictionary, and would like something a little bigger.
| As a security measure, I am trying to get a massive dictionary of words
| together, and each time a user changes his/her password, it checks the list to
| see if the password is in it. My question is, are there any pre-built lists of
| this nature? I am currently only using a spelling dictionary, and would like
| something a little bigger.

Look on coast.cs.purdue.edu in the password/Crack areas.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume
I Support The Phil Zimmermann legal defense fund
http://www.netresponse.com/zldf
------------------ PGP.ZIP Part [001/713] -------------------
M4$L#!!0````(`">9ZQX3(*,_DG8!`-JF`P`'````4$=0+D581>S;=UQ3U__X
M\9M!$E8,TT@PJ$10$1=*41%WW`KX$=Q[M5KK`&R%(HH+(T.M"S>NME8K=31N
M:A$[K+5(K:O5BE405ZE:1"3?UTW`:K_]\/G\?O_^?CX>3^_-S;GGO,^\`^@W
-------------------------------------------------------------
for next chunk to export --> http://dcs.ex.ac.uk/~aba/export/
"It's supposed to crash like that." <gorkab@sanchez.com> writes:
As a security measure, I am trying to get a massive dictionary of words together, and each time a user changes his/her password, it checks the list to see if the password is in it. My question is, are there any pre-built lists of this nature? I am currently only using a spelling dictionary, and would like something a little bigger.
Yes, there are -- see ftp.ox.ac.uk for a lovely set of them.

This is a reasonable approach, but it's insufficient: you also need to check lots of variants on the words. I'd suggest looking at the code in Programming Perl (Larry Wall and Randal L. Schwartz) for checking potential passwords, and I'd suggest looking at the initial ruleset used by Crack, the Unix password cracking tool; the same rules should be good for any kind of password scheme.

Also you should be aware that cracking passwords is passe' these days: it's much easier to run an ethernet sniffer and gather them wholesale. Every little bit helps, though.

Jim Gillogly
Sterday, 28 Afterlithe S.R. 1995, 19:54
As a security measure, I am trying to get a massive dictionary of words together, and each time a user changes his/her password, it checks the list to see if the password is in it. My question is, are there any pre-built lists of this nature? I am currently only using a spelling dictionary, and would like something a little bigger.
You're re-inventing the wheel. Look for npasswd or passwd+. Both do things like that.

Or, better yet, don't use dictionaries at all (they're out of date as soon as they're made available). Use rules that force your users to choose good passwords (just don't be too Draconian. ;). We have a rule that says a user must choose at least one upper case character, one lower case character, and one number, symbol, or control character in his/her password. It's met little resistance, a few complaints, and it's immune to most dictionary password schemes. The only other restriction is that they must have at least 6 characters in their passwords. That was already "mostly" enforced, so there was no problem there.

This prevents people from picking passwords like the name of a significant other, the name of a place, or some foreign language word that normal dictionaries wouldn't necessarily catch, but some password cracking program "might" (depending on who has the more recent dictionary).

This really is more along the charter of comp.unix.security though, and not cypherpunks (IMHO).

--
____________________________________________________________________________
Doug Hughes Engineering Network Services
System/Net Admin Auburn University
doug@eng.auburn.edu
"Real programmers use cat > file.as"
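Added example (not code from any poster in this thread, and not the rules shipped with Crack, npasswd or passwd+): a password-change check that combines the composition rule from the last reply with the "variants on the words" check suggested earlier. The wordlist, the substitution table and all function names are constructed for illustration.

```python
import string

# Constructed sample wordlist; a real deployment would load a large list from disk.
WORDS = {"password", "auburn", "dragon", "secret", "wheel"}

# Undo common look-alike substitutions (an assumed, illustrative mapping).
UNLEET = str.maketrans("013457@$!", "oieastasi")

def base_forms(candidate):
    """Yield simplified forms that a word-mangling rule could have started from."""
    lowered = candidate.lower()
    stripped = lowered.strip(string.digits + string.punctuation)
    for form in (lowered, stripped, lowered.translate(UNLEET),
                 stripped.translate(UNLEET)):
        yield form
        yield form[::-1]                      # reversed word
        half = len(form) // 2
        if len(form) % 2 == 0 and form[:half] == form[half:]:
            yield form[:half]                 # doubled word, e.g. "wheelwheel"

def composition_problems(candidate):
    """Length >= 6, one upper, one lower, one number/symbol/control character."""
    problems = []
    if len(candidate) < 6:
        problems.append("shorter than 6 characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper case character")
    if not any(c.islower() for c in candidate):
        problems.append("no lower case character")
    if not any(not c.isalpha() for c in candidate):
        problems.append("no number, symbol, or control character")
    return problems

def check_password(candidate, words=WORDS):
    """Return the reasons to reject candidate; an empty list means accept."""
    problems = composition_problems(candidate)
    hit = next((f for f in base_forms(candidate) if f in words), None)
    if hit is not None:
        problems.append(f"variant of dictionary word '{hit}'")
    return problems
```

"Password1" satisfies the composition rule on its own, yet the variant check still flags it, which is why the two checks are run together here.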
participants (4)
- Adam Shostack
- Doug Hughes
- It's supposed to crash like that.
- Jim Gillogly